Anonymity Systems and Their Adversaries
Welcome, readers! Today we present another adaptation of material by Pavlu and Vergil.
Players in the “Anonymity” Game
There are three main types of players in the game of online anonymity:
- Users who communicate with other users and/or destinations.
- Adversaries (archetypal attackers) whose goals include monitoring and blocking communications, identifying users, associating users with other users or destinations, impersonating users, or compromising users and destinations.
- Services and systems that protect user communications by providing a mix of anonymity, freedom, privacy, and security. Since anonymity reduces the risk of targeted attacks, these are best viewed as anonymity systems.
This article first provides a brief overview of existing anonymity systems, then examines how each is vulnerable to adversaries with different capabilities.
Encryption and Its Limits
It’s important to remember that none of these anonymity systems provide end-to-end encryption between users and destinations on the internet. All traffic between users and system exit nodes is encrypted, but traffic between exit nodes and destinations is not, unless users and destinations use end-to-end encryption (such as HTTPS for websites, TLS for email, or SSH for remote logins).
For email, anonymity systems hide the user’s IP address assigned by their provider, but do not affect other metadata like email addresses, subject lines, or timestamps. Even with end-to-end encryption between users and their mail servers, message content is not encrypted between mail servers unless users and their correspondents use end-to-end encryption like OpenPGP.
Types of Anonymity Systems
For general internet access, there are two main types of low-latency anonymity systems: numerous VPN services and the onion-routing network Tor. Both use encryption to ensure privacy and security between users and system exits. However, it’s always wise to use end-to-end encryption, since exit nodes (and adversaries monitoring them or the destinations) can otherwise see unencrypted traffic.
Each system provides anonymity in its own way, with varying effectiveness against different adversaries. This discussion excludes various proxy services like SSH tunnels (which are harder to use), as well as web proxies and browser plugins (which are easier to compromise). Freenet and I2P are also not considered here, as they are not designed for general internet access.
VPNs
VPN services are the simplest type of anonymity system. Once a user and a remote VPN server establish an encrypted virtual network connection, the server acts as a proxy for all the client’s internet traffic. Services using properly configured OpenVPN or IPsec protocols (but not PPTP) provide strong protection and privacy (with perfect forward secrecy) between users and system exits.
VPNs provide privacy by hiding destinations from ISPs, and anonymity by concealing user information (such as ISP, identity, and geolocation) from destinations. Both destinations (and their network observers) see only the VPN server’s IPv4 address. VPNs have much lower latency and 10–20 times higher bandwidth than Tor.
Reliable VPNs use perfect forward secrecy. For OpenVPN, this means TLS with ephemeral symmetric session keys, negotiated on the fly after server and client authentication. These keys are unpredictable and change frequently (by default, hourly). If an adversary compromises a session, only that session’s traffic is exposed; past and future sessions remain secure.
VPNs are easy to set up and use, as providers handle the technical details. However, the privacy and anonymity they provide depend entirely on the operator’s integrity, technical competence, and ability to prevent surveillance, manipulation, or compromise by adversaries.
VPNs offer strong protection against local adversaries and good protection against censorship and routine mass surveillance, even at the national level. However, they provide limited protection against adversaries with international reach, who may coerce providers or their hosting/ISPs to monitor, manipulate, or compromise servers. They also offer limited protection against determined and resourceful censors.
In some jurisdictions, VPN providers may receive court orders they cannot disclose without severe penalties. A workaround is the use of “warrant canaries”—regularly published statements indicating no such order has been received. If the canary is not updated on schedule, users can infer that a court order has been issued, without the provider actively violating the order.
Some VPNs offer multi-hop routing, where user traffic passes through servers in different countries. Users sharing an entry node typically use different exit nodes, and vice versa. Other VPNs distribute user traffic among multiple exit servers. These approaches better protect against adversaries with limited international reach, but all bets are off if targeted by more resourceful adversaries.
Tor
Tor is a second-generation onion-routing anonymity system with several thousand anonymizing relays. It is an open system with highly distributed trust and no centralized control. Tor provides anonymity through dynamic, unpredictable, and hard-to-trace routing across a large network of untrusted relays. Unlike VPNs, adversaries can freely participate by running relays, but there is oversight by a core group of trusted developers and relay operators, as well as a vetting process for new relays.
User clients connect to the Tor network by creating encrypted three-relay circuits in random order, frequently changing them. Traffic is transmitted in fixed-size cells (512 bytes). At each hop, a relay removes one layer of encryption, preventing neighboring relays from identifying each other and protecting against malicious relays. Traffic between relays is encrypted with TLS, on top of onion routing encryption, which helps obscure cell patterns from external adversaries.
Many of Tor’s ~6,000 relays have limited uptime, bandwidth, or exit restrictions (e.g., blocking IRC), reducing the effective network size and increasing vulnerability to adversaries who can introduce many attractive relays.
Adversaries and Threat Models
All low-latency anonymity systems are vulnerable to adversaries who can monitor, manipulate, or compromise both ends of a connection. This is true for both VPNs and Tor. Adding more intermediate nodes does not prevent such compromise. Conversely, both systems protect well against weak local adversaries. Let’s examine their vulnerabilities to three canonical classes of adversaries, each inventive in their own way.
Passive and Byzantine Adversaries
Passive adversaries simply intercept and analyze network traffic, trying to correlate flows entering and exiting anonymity systems. “Byzantine” adversaries can mark or otherwise modify traffic, mainly to aid correlation. Realistic passive adversaries are usually also Byzantine, so we group them together. However, there’s a key distinction: anonymity systems cannot detect purely passive adversaries except through subsequent Byzantine activity, making active defense difficult.
There are two types of active adversaries. Sybil adversaries exploit system-level vulnerabilities by running many malicious clients and/or network nodes. Others focus on security flaws in specific network nodes, using them to compromise the system, or target system operators through social engineering, phishing, physical attacks, or legal/political pressure. Such attacks may also target high-value users. These are complex topics beyond the scope of this article. In reality, some adversaries (like the NSA) are strong in all three areas.
Passive Adversaries with Limited Network Reach
For passive and Byzantine adversaries, key resources are network reach for interception, data storage, and computational power for traffic correlation (and for Byzantines, traffic modification). For governments, network access usually depends on legal authority and/or political influence, supplemented by agreements with peers. For non-governmental adversaries (schools, businesses, ISPs), ownership or management rights usually limit network reach. Skilled adversaries with resources can always operate covertly.
All low-latency anonymity systems generally protect against passive adversaries who can access only one end of a connection. This covers most non-governmental adversaries, except top-tier ISPs. Most governments (except the NSA and its partners, like the Five Eyes) can see only one end of international connections. The main challenge is often bypassing perimeter firewalls, such as corporate firewalls or the Great Firewall of China (GFW). Without additional interception, traffic correlation and modification are of limited value.
China is a formidable adversary, but its international network reach appears limited. If this is accurate, all low-latency anonymity systems that can connect through the GFW will reliably protect users in China when accessing destinations outside its control, with three exceptions: (1) they are easily broken for destinations under Chinese control; (2) they are vulnerable to Chinese man-in-the-middle (MitM) attacks, possibly using fake SSL certificates or protocol vulnerabilities; (3) they are to some extent vulnerable to Sybil attacks (see below).
The GFW blocks anonymity systems in at least four ways: (1) blocking access to known entry servers; (2) blocking traffic based on protocol signatures; (3) probing suspected entry servers by impersonating clients; (4) throttling or blocking all encrypted traffic as a last resort.
Anonymity systems can bypass the GFW (and other firewalls) by encapsulating their traffic in more generic connections routed through proxy servers. Some VPNs offer SSH and/or SSL (stunnel) proxies, or use proprietary transport protocols. However, for resourceful adversaries, transport protocol obfuscation is only a temporary fix. Once a proxy is identified, its IP can be blocked, and all users connecting to it can be identified. By monitoring the hosts these users subsequently connect to, more proxies can be discovered.
Distributing proxies is a complex task. Adversaries can enumerate proxies by posing as users, and resourceful adversaries can create many malicious users. Tor bridges are distributed in several ways: volunteers can create bridges and share addresses privately; there is a central BridgeDB database accessible to Tor clients and via its website. Bridges can be distributed through various channels (individual users, private mailing lists, social networks), with each channel’s reputation depending on the fate of the bridges it distributes. New bridges are distributed proportionally to channel reputation.
Passive Adversaries with International Network Reach
Overall, Tor is much less vulnerable to passive adversaries with international network reach than most VPNs. Tor has far more users and nodes (relays), distributed worldwide across many data centers and countries, with no centralized ownership or control. Traffic routes change frequently and unpredictably, making it impractical for most adversaries to obtain enough interceptions.
Global passive adversaries, by definition, must have sufficient interception capability. However, Tor typically has about two million users and several million simultaneous circuits. Tracking a specific Tor circuit would require correlating traffic from one interception (starting at an exit relay or entry guard) with millions of conversations intercepted from thousands of other relays. For a global adversary, this would be trivial, but cross-correlating all simultaneous conversations from all Tor relays would require about 1013 comparisons—not trivial. In other words, all but the most inventive global passive adversaries may be limited by computational resources. In any case, Sybil attacks on Tor are much easier.
Sybil Adversaries
For Sybil adversaries, key assets are large server clusters and fast network links, allowing them to run many malicious clients or attractive network nodes, efficiently analyze collected data, and use the results. The worst case is when they control both clients and network nodes, using them in synergy. Wide network reach is not required—only bandwidth. Sybil adversaries are assumed to have unlimited computational power.
With limited organizational support, anyone with financial resources and experience with large cloud server clusters (e.g., AWS) can become a strong Sybil adversary, at least for a limited time. Given typical cloud computing pricing, massive resources are accessible under certain conditions. China is certainly a formidable Sybil adversary, given its vast technical and human resources. Other plausible examples include skilled individuals, small academic research groups, non-state gangs, and state intelligence agencies.
Sybil Adversaries vs. VPNs
Deploying malicious VPN servers is both difficult (since one entity owns or manages all servers) and immediately fatal to anonymity (since there is usually only one server between users and destinations).
Consider an adversary with limited network reach aiming to deanonymize VPN users accessing, say, a social network or forum. By attracting target users there, they can launch distributed denial-of-service (DDoS) attacks on various VPN servers, possibly initiating fake TLS handshakes from many malicious clients. If these VPN servers lack firewalls limiting new connection rates, this can overload the CPU needed to process traffic for connected clients, even causing outages.
An effective DDoS attack on a VPN server disrupts its users and may take it offline. If successful, the Sybil adversary learns which VPN server each target user connects through. Knowing this, the adversary can attempt to compromise the server directly or approach the operator or hosting provider, using political, legal, or social engineering methods as resources allow.
Adversaries monitoring traffic at exchange points between users and VPN servers may not need to compromise the servers or operators. With an effective DDoS attack, the adversary can observe the impact on both user internet activity and their connection to the server. State-level actors canonically have sufficient resources for such attacks on all low-latency anonymity systems, especially VPNs.
Sybil Adversaries vs. Tor
Although Tor is much larger than individual VPNs, it is an open system where Sybil adversaries can easily mimic both clients and relays. Thus, Tor is likely more vulnerable to Sybil adversaries with limited network reach and no coercive power. In fact, academic research groups have compromised a significant percentage of Tor users for months via Sybil attacks.
Given that agencies like the NSA (or even China) have orders of magnitude more resources, one might assume Tor is defenseless against them. However, while Tor is an open system of untrusted relays, entry and relay behavior is monitored by a core group of trusted developers and operators, and there is a vetting process for new relays to limit destructive or malicious behavior.
In other words, Sybil attacks in Tor are limited more by oversight than by adversary resources. This greatly reduces the advantage of resource-rich adversaries, but only for Sybil attacks. There is no such protection against passive network analysis by adversaries with sufficient network reach, as it cannot be easily detected.
Consider an adversary running many malicious Tor clients and relays, but with no other resources. They have two groups of malicious relays: one to act as entry guards, the other as exit relays. By comparing traffic through circuits served by these groups, they can identify circuits where they control both entry and exit, exposing client IPs and destinations.
Malicious entry guards avoid the “Exit” flag by blocking internet connections and obtain the “Guard” flag by staying online for at least eight days. In practice, malicious entry guards will remain online throughout the attack to maximize their chances. Malicious exit relays aim for the “Exit” flag by allowing internet connections and avoid the “Guard” flag by staying online for a week or less.
The adversary can accelerate and scale this Sybil attack by using malicious clients to DDoS honest relays. By attacking honest entry relays, they can gradually push user clients toward their own malicious entry relays. Similarly, by attacking honest exit relays, they can push users toward their own malicious exit relays.
Authors: Vergil & Pavluu
Onion Market – a free P2P exchange on Telegram.